Ok someone needs to tell the CC companies, ETrust and https://www.securitymetrics.com/
RC On 5/6/2012 11:03 AM, Michael Stauber wrote: > Hi Richard, > >> This one is on 5106R but has client hosted php 5.3.8 on the server php >> is 5.1.6 >> >> Description: vulnerable PHP version: 5.3.8 Severity: Area of Concern >> CVE: CVE-2011-4885 >> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4885> Impact: >> Remote attackers may be able to gain unauthorized access to the web >> server, cause a denial of serviceor information disclosure, or execute >> arbitrary code. Resolution PHP should be >> [http://www.php.net/downloads.php] upgraded to 5.2.17 or higher for >> 5.2.x, to 5.3.10 or higher for 5.3.x, and to a version higher than 6.0 >> dev for 6.0.x when available. Note that the PHP project announced the >> end of support for PHP 5.2 with the release of >> [http://www.php.net/archive/2010.php#id2 010-12-16-1 >> <http://www.php.net/archive/2010.php#id2010-12-16-1>] PHP 5.2.16 on 2010 >> December 16. Although there was a >> [http://www.php.net/archive/2011.php#id2 011-01-06-1 >> <http://www.php.net/archive/2011.php#id2011-01-06-1>] PHP 5.2.17 release >> to fix a critical problem on certain vulnerable platforms (CVE-2010-4645 >> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4645>), the >> PHP project encourages users of PHP 5.2 to upgrade to 5.3, and offers a >> [http://us.php.net/migration53] guide to migrating from 5.2 to 5.3. >> Vulnerability Details: Service: http Sent: GET /scripts/ HTTP/1.0 Host: >> www.mydomain.com User-Agent: Mozilla/4.0 Received: X-Powered-By: PHP/5.3.8 > Well, yes. PHP-5.3.8 is quite a bit behind. But the info texts your > "vulnerability checker" dumps there is also outdated by recent events over at > php.net. > > PHP-5.2 is EOL, so the advice to switch to PHP-5.2.17 is rather frivolous. > > PHP 5.3.12 and PHP 5.4.2 have been released three days ago to fix a failed fix > for a CGI related vulnerability that had been around for 7-8 years (it didn't > apply to us as we were not using PHP as CGI). > > So you should switch to PHP-5.3.12 soon if you use a third party PHP like > mine. > -- +---------------------------------------------+ Richard C. Barker Sr. +---------------------------------------------+ _______________________________________________ Blueonyx mailing list [email protected] http://mail.blueonyx.it/mailman/listinfo/blueonyx
